Firefox 27 Looks to Boost Web Security

A new beta milestone of Firefox will fully support TLS 1.2 and a host of other new capabilities that could make the open-source Web browser safer.

Mozilla is now out with its first beta milestone release of the open-source Firefox 27 Web browser. The new beta release comes just days after the official general availability of Firefox 26, which included 14 security advisories and new click-to-play functionality.
Security once again is top of mind for the Firefox browser, and Firefox 27 will be the first browser from Mozilla to include default support for the Transport Layer Security (TLS) 1.2 specification. TLS is a cornerstone Internet security technology that is the successor to Secure Sockets Layer (SSL). TLS 1.2 was first defined in August 2008, offering security enhancements over prior versions of TLS and SSL.
"Like new versions of most software, shipping TLS 1.2 is an upgrade to TLS with improvements, additional extensions to TLS, and support for new and stronger ciphers," Sid Stamm, privacy and security engineer at Mozilla, told eWEEK. "Without getting into the weeds, it is the next logical step in offering sites support for the latest standards with the protections they want."
With support for TLS 1.2 in Firefox 27, Mozilla will be joining its rival browser vendors in the effort to bring the next generation of transport security forward. Google Chrome 30, which was released in October, and the recently released Microsoft Internet Explorer 11 and Apple Safari 7 browsers currently support TLS 1.2.

Mozilla has been talking about implementing full support for TLS 1.2 since at least February 2009 and has limited support for TLS 1.2 in Firefox 26, though the feature is disabled by default.

"TLS version and features are negotiated as a handshake between Firefox and Websites," Stamm said. "Supporting these new versions will improve Firefox compatibility for the sites that already try to use it."
Stamm added that Mozilla did not remove support for older versions of TLS and SSL and, as such, Websites can still fall back to those. That said, Mozilla is encouraging site developers to adopt TLS 1.2 to take maximum advantage of the best security features available.
Another security feature set to land in Firefox 27 is support for sandboxing iFrames. An iFrame is an HTML element that enables a site developer to embed code from another site into a given Web page.
"iFrame sandboxing is an opt-in feature that allows Websites to better isolate themselves from pages they embed," Gavin Sharp, lead Firefox engineer at Mozilla, told eWEEK. "Firefox has supported this feature for over a year now, but what's new in the new Firefox Beta is that we additionally support the 'allow-popups' directive, allowing the sandboxing to be used in more cases."
One way that Web developers sometimes try to secure and minimize their JavaScript code is by hiding or obfuscating it. Obfuscated code, however, can also sometimes be a barrier to development, and so with Firefox 27 there will now be a built-in tool to help de-obfuscate JavaScript in the code debugger.
Sharp said that Mozilla's DevTools team has a simple goal: build great tools that make developers' lives easier.
"Built-in code de-obfuscation in the debugger fits the bill: It's a big help when debugging code on production pages that use 'minified' code, for example," Sharp said.
Minified code is a popular programming technique used to reduce size by removing all unnecessary characters and spaces.
Looking forward even further than Firefox 27, work is now beginning on Firefox 28 and future versions. For Firefox 28, one of the early highlights is that it is expected to finally be optimized for Microsoft's Windows 8 operating system.
Mozilla is also continuing to work on overhauling its entire Firefox browser interface as part of an effort called "Australis." Sharp said that all of the Australis work is currently focused on the Nightly channel of Mozilla Firefox development. Mozilla has a beta channel and Aurora (alpha) channel and then the Nightly Channel for bleeding-edge development.
"Given the feedback so far, we're very excited to get the [Australis] feature to our Aurora and Beta users as soon as possible," Sharp said.
Firefox 27 is currently available as a freely downloadable beta, with general availability expected in February 2014.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.